IT operations and maintenance: Using a data analysis platform to collect Windows event log data

Overview

This article describes how to use Winlogbeat and Vector to collect Windows event log data into Honghu, so that technicians can analyze Windows event log data more conveniently and efficiently in Honghu.

Steps

Winlogbeat is an open source log data collector designed specifically to collect event log data from the Windows operating system. It can collect the various Windows event logs, such as Application, System and Security. After installing it on Windows, if you want to send the collected data to the console, just configure output.console in the configuration file winlogbeat.yml, as shown below:

[image: winlogbeat.yml with output.console configured]

The following are two sample outputs (cropped) from running winlogbeat.exe -c winlogbeat.yml. Each line of output is a JSON document.

[image: two cropped sample JSON output lines from winlogbeat.exe -c winlogbeat.yml]

Note that Winlogbeat creates a state directory named data in the directory from which the winlogbeat.exe process is started. If you want Winlogbeat to re-read all event log data from the beginning, delete that directory after the winlogbeat.exe process has stopped, then start it again.

The next problem to solve is how to send the collected Windows event log data to Honghu. This is where Datadog's Vector comes in. A popular open source data collection and transmission tool, Vector can flexibly collect data from different sources and send it to different targets.

We can invoke Winlogbeat through Vector's exec source and use its output as a data source. Honghu directly supports receiving data from Vector, so by chaining these two data streams together the Windows event log data can be imported into Honghu.

A template for the vector.toml configuration file can be downloaded from Honghu's external data source management page. You need to set the required target data set and data source type; here they are test_winlog and json respectively. The downloaded template looks like this:

[image: vector.toml template downloaded from Honghu]

We modify the configuration file for Windows event log collection as follows:

[image: vector.toml modified for Windows event log collection]

In the configuration file, a data source named vector_input_config is defined first, with its type set to exec, meaning that an external command is executed. The command parameter gives the complete Winlogbeat command, where -c specifies the path of the Winlogbeat configuration file; here it is C:\tools\winlogbeat.yml, which should be adjusted to the actual location of the file. The mode is streaming, meaning the command's output is processed continuously as it is produced rather than on a schedule.

Next, a data transformation named transform_fields is defined. _datatype and _target_table are Honghu metadata fields that specify the data source type and the target data set. _host and _source are also Honghu metadata fields, specifying the host the data came from (the current host name, obtained here with the function get_hostname!() (https://vector.dev/docs/reference/vrl/functions/#get_hostname)) and the source information.

Lastly, two output targets named honghu and console are defined.

honghu is the output target that sends data to Honghu, specifying its address and version number. console prints the data to the console for debugging; this output can be removed once debugging is finished.
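As an added reconstruction matching the description above (not the page's own screenshot), here is what such a vector.toml looks like; it assumes the transform is Vector's remap type, that Honghu's receiver is addressed through Vector's vector sink, and it uses placeholder values for the Honghu address and the _source label:

```toml
# vector.toml: added example reconstructed from the article's description, not
# the screenshot. Assumptions: "remap" transform, "vector" sink type for Honghu,
# placeholder address and _source value. Adjust paths to your installation.

[sources.vector_input_config]
type    = "exec"
mode    = "streaming"             # process Winlogbeat output as it is produced
# Full Winlogbeat command; -c gives the Winlogbeat configuration file path.
# Single-quoted TOML strings keep the Windows backslashes literal.
command = ['C:\tools\winlogbeat.exe', '-c', 'C:\tools\winlogbeat.yml']

[transforms.transform_fields]
type   = "remap"
inputs = ["vector_input_config"]
source = '''
# Honghu metadata: data source type and target data set (values from the article).
._datatype     = "json"
._target_table = "test_winlog"
# Host that produced the events (current host name) and a source label.
._host   = get_hostname!()
._source = "winlogbeat"   # assumed label; use whatever Honghu expects
'''

[sinks.honghu]
type    = "vector"
inputs  = ["transform_fields"]
address = "honghu.example.internal:6000"   # placeholder: Honghu's Vector ingest address
version = "2"

[sinks.console]
type   = "console"
inputs = ["transform_fields"]
encoding.codec = "json"           # debugging only; remove once the pipeline works
```

Each JSON line that Winlogbeat writes to its console output arrives in Vector as the message field of one event, with the metadata fields above attached before it is forwarded.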

All that remains is to run vector.exe -c vector.toml. If everything goes well, the data will be imported into Honghu. In Honghu's query interface you can see that the data has been correctly extracted in JSON format, ready for further analysis and processing.

[image: Windows event log data shown in Honghu's query interface]

Origin: blog.csdn.net/Yhpdata888/article/details/132860878